Security Training Falling Through the Education Cracks: Page 2

Even today, the average developer is insufficiently trained in secure coding practices, and few universities are paying any attention. A panel of experts discusses where the blame, and the responsibility, for security training lies.

by Glen Kunene, Senior Managing Editor

Feb 22, 2005


Better Training on the Job?
Not everyone was down on higher education, however. SPI Dynamics, based in Atlanta, uses Georgia Tech computer science interns. CTO and Founder Caleb Sima raved about the skills these young programmers displayed. They were tasked with finding the bugs in assigned code blocks, where SPI Dynamics hid flaws. The interns were so good that SPI Dynamics began turning them loose on code that wasn't intentionally "bugged" and asked them to fulfill the same mission. The exercise turned out to have a similar premise to a game that they played in one of their Georgia Tech courses.

At Oracle, explained Davidson, finding vulnerabilities is no game for development teams. Her directive to her teams: "You're accountable for every line of code you write." Proving that they were dead serious, Oracle put its development teams through secure coding training, gave them the top few vulnerabilities on which to focus ("a one-pager"), and told them to find and fix them in their code. Then the code was audited and if any of those vulnerabilities were found, according to Davidson, "no bonus, no stock options [for the responsible teams]."

Taking such a hard line and investing real money in training to back it up may be the only way to change a software culture that doesn't highly value security. Theresa Lanowitz, a Gartner research director focused on application testing and development, frequently hears the gripes about the lack of skills from her clients. "It's the number one concern they cite," she said. "Yet training and education rank second-to-last in many budgets."

"Everybody salutes the education flag but most people don't have time," explained Cohen, a 24-year veteran of the IT industry. "Education has to happen to people while they do their jobs. We can't stop the corporate engine to teach."

Winkler, who does not believe in security certifications, also advocated on-the-job training. He explained that the number of classroom hours required to complete some security certifications is equivalent to only a single workweek in the real world. "You can't learn security in [a classroom] environment," he said.

The problem with teaching developers security on the job is that the consequences of mistakes are very real. An overlooked vulnerability may result in a failing grade in the classroom, but in production code it can cost a software company millions. The comments at the Secure Software Forum indicate that management has grown weary of allowing their companies to be the laboratories where recent computer science graduates learn from their mistakes. They believe that's what colleges are for.